MCR-72-41 (Vol II) Copy No. 


FINAL REPORT 



'■t 


in 


Space Shuttle Propulsion Systems 
On-Board Checkout and Monitoring 


System Development Study (Extension) 

•123570) SPACE SJTHT'TT T? DDAnmcmT, • 


S?^TPMS R n2 2 nnI 0) SPACE SHUTTLE PfiOPOISION 
ON -BOARD CHECKOUT AND MONITOBING 
SYSTEM DEVELOPMENT STUDY (EXTENSION) 

VOLUME 2: GUIDELINES FOB FOR (Martin 

Mari et t a corp.) Apr. 1972 79 p CSCL 22B G3/31 


N7 2- 2 4916^ 


Unclas 

15612 


VOLUME II 
GUIDELINES FOR INCORPORATION 
OF THE ONBOARD CHECKOUT AND MONITORING 
FUNCTION ON THE SPACE SHUTTLE 


J 


APRIL 1972 


Contract NAS8-25619 
DRL No. 187, Rev. A 
Line Item No. 3 (Issue 2) 


Prepared For 

George C. Marshall Space Flight Center 
Marshall Space Flight Center, Alabama 


/VFXmTt/V MARIETTA 


DENVER DIVISION 



,li A * 

lc-> 


US 


produced by •, <( 

IATIONAL TECHNICAL 
(FORMATION SERVICE. 

U S Department of Commerce 
Springfield VA 22151 




& 



Final Report 


SPACE SHUTTLE PROPULSION SYSTEMS 
ON-BOARD CHECKOUT AND 
MONITORING SYSTEM DEVELOPMENT STUDY 

VOLUME II - GUIDELINES FOR 
INCORPORATION OF THE ONBOARD CHECKOUT 
AND MONITORING FUNCTION ON THE SPACE SHUTTLE 


APRIL 1972 


Approved by 



R. W. VandeKoppeT 
Program Manager 


Contract NAS8-25619 
DRL No. 187, Rev. A 
Line Item No. 3 (Issue 2) 


Prepared For 

George C. Marshall Space Flight Center 
Marshall Space Flight Center, Alabama 


MARTIN MARIETTA CORPORATION 
Denver Division 
Denver, Colorado 80201 



FOREWORD 


This final report was prepared by the Martin Marietta 
Corporation under extension to Contract NAS8-25619, "Space 
Shuttle Propulsion Systems On-Board Checkout and Monitoring 
System Development Study", for the George C. Marshall Space 
Flight Center of the National Aeronautics and Space Admin- 
istration. The report is comprised of two volumes: 


Volume I 


Summary and Technical Results 


Volume II - Guidelines for Incorporation of the On- 
Board Checkout and Monitoring Function 
on The Space Shuttle. 
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1.0 SCOPE 


1.1 Content - This document provides guidelines for incorporation 
of the Onboard Checkout and Monitoring Function into the designs of the 
Space Shuttle propulsion systems. Hereinafter, the Onboard Checkout 
and Monitoring Function is referred to as OCMF. These guidelines con- 
sist of and identify supporting documentation; requirements for formula- 
tion, implementation and integration of OCMF; associated compliance 
verification techniques and requirements; and OCMF terminology and 
nomenclature. 

1.2 Applicability - These guidelines are directly applicable to 
the incorporation of OCMF into the design of Space Shuttle propulsion 
systems and the equipment with which the propulsion systems interface. 
The techniques and general approach as identified herein also are 
generally applicable to OCMF incorporation into the design of other 
Space Shuttle systems. 

1.3 Intended Use - These guidelines shall be used by the National 
Aeronautics and Space Administration and the Space Shuttle contractors 
during the basic design phase of the Space Shuttle program. These 
guidelines shall be used to insure that the OCMF is incorporated into 
the basic design of the propulsion systems and associated interfacing 
systems. The applicable hardware, software and system design criteria 
documents and specifications shall incorporate the requirements of this 
document. 
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3.0 REQUIREMENTS 

This section specifies the approach, constraints and considerations 
that shall be used in the definition and implementation of the OCMF. 

3.1 Performance - This section specifies the functions that the 
OCMF shall perform, and the system analysis that shall be conducted to 
define the checkout and monitoring requirements. 

3.1.1 Checkout and Monitoring Functions - The primary functions 
that comprise the OCMF for the Space Shuttle propulsion system are 
checkout, monitoring, control, and postflight evaluation. 

Checkout shall be performed prior to each functional operation 
of the propulsion system (whether in flight or on the ground), during 
postflight safing and purging, and during maintenance operations. 

Monitoring shall be performed during all phases of the Shuttle 
mission; that is, during preflight, inflight, postflight safing and 
purging, and maintenance operations. 

Control shall be provided during all mission phases to start, 
stop, or otherwise regulate the operation of the propulsion systems. 

Postflight evaluation shall be conducted during the interval 
between landing and maintenance operations. It is comprised of post- 
flight evaluation of inflight data, inspections of the flight hardware, 
and checkout during postflight safing and purging. 

3. 1.1.1 Checkout - Checkout of the propulsion system consists of 
verifying its status, redundancy and operability. Checkout shall be 
performed prior to each start of propulsion system functional operation, 
during postflight safing and purging, and during maintenance operations. 

3. 1.1. 1.1 Prestart Checkout - Prestart checkout shall verify 
that the propulsion system will meet its functional requirements during 
its next operation. The prestart checkout function is applicable to 
all phases (ground and flight) of the Space Shuttle mission that require 
propulsion system functional operations. The OCMF shall have the capa- 
bility of performing verification of correct prestart status, avionics 
checks, redundancy verification and functional testing. 

3. 1.1. 1.1.1 Status Verification - Prior to each operation of the 
propulsion system, the OCMF shall verify that the parameters associated 
with the elements of the propulsion system are within specified limits 
to ensure successful initiation of systems operation. Examples of such 
parameters include tank gas pressures and valve positions. 
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3. 1.1. 1. 1.2 Redundancy Verification - Redundancy verification is 
the process of verifying that all redundant functional elements of the 
propulsion system and the elements associated with OCMF are operable. 
Complete redundancy verification shall be performed prior to each flight. 
For mechanical elements, the demonstration of normal functioning of the 
redundant elements in the previous flight, during postflight safing and 
purging, during maintenance retest, and/or during preflight operations 
shall be sufficient for redundancy verification. For the operational 
Space Shuttle vehicle, prestart checkout by functional tests for re- 
dundancy verification of mechanical elements shall be conducted only 

if the redundant element was not operationally verified during the 
operations mentioned above. However, capability shall exist in the 
basic design of the mechanical systems and the OCMF for redundancy 
verification by functional testing. The operability of the redundant 
paths in electrical and electronic elements shall be verified prior 
to flight. (This does not preclude inflight redundancy verification 
of electrical and electronic elements such as by self-checks.) 

3. 1.1. 1.1. 3 Avionics Checks - A complete prestart checkout of the 
electronic and electrical subsystems associated with the propulsion 
system and the OCMF shall be performed prior to each functional opera- 
tion of the propulsion system. This checkout shall include such checks 
as verification of electrical power quality, data management subsystem 
self-checks, verification of the electrical elements of the sensors, 
and sequencing. 

3. 1.1. 1.1. 4 Functional Testing - The OCMF and the propulsion 
system shall have the capability for functionally testing the elements 
of the propulsion system prior to flight to verify redundancy and 
operability. The capability to test for internal and external leakage 
shall be included. 

3. 1.1. 1.2 Postflight Checkout - Postflight checkout consists of 
the final assessment of the status and operability of the propulsion 
system before the maintenance cycle. It consists of monitoring the 
operation of the propulsion elements that are normally operated during 
the safing and purging operations. Verification of redundancy (of 
elements not operated in flight) and the lack of performance degrada- 
tion are the principal objectives of this checkout. Proper operation 
of functional elements during this phase shall be sufficient to pre- 
clude preflight functional testing of those elements to verify operabil- 
ity or redundancy (unless an element has been affected by maintenance 
actions). 
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3. 1.1. 1.3 Maintenance Retest - The OCMF shall have the capability 
to verify the integrity of interfaces and readiness status of the Line 
Replaceable Units (LRUs) that are functional elements, following their 
installation during maintenance operations. This capability shall in- 
clude verification of functional propulsion elements affected by the 
LRU maintenance. Capability shall be provided to accomplish the veri- 
fication by performing functional and leak tests. Capability shall 
also be provided to control and monitor individual functional elements 
in or out of normal sequences. Capability for individual component 
test may be waived only by formal approval of the Procurement Agency. 

3. 1.1.2 Monitoring - Monitoring is the OCMF activity of data 
acquisition and processing, and is applicable to all phases of the 
Space Shuttle mission. The monitoring function, in accordance with 
the following guidelines, shall consist of fault detection, fault 
isolation, trend analysis, data recording, and display. The parameters 
to be monitored, and the intervals and frequencies of monitoring, shall 
be derived from the analysis defined in Paragraph 3. 1.2. 2. 

Inflight monitoring shall be accomplished by onboard equipment 
without reliance on a data interface external to the vehicle. 

3. 1.1. 2.1 Fault Detection - The fault detection function shall 
provide data for emergency detection, for redundancy management, and 
for the related crew displays. Fault detection shall be accomplished 
by onboard equipment for all failure modes identified by the Failure 
Modes and Effects Analysis of Paragraph 3. 1.2. 2. Exceptions shall be 
taken only with Procurement Agency concurrence and shall be documented 
as such. 

Emergency detection is the detection of any condition requiring 
automatic action to avoid a potentially catastrophic effect, or detec- 
tion of any condition requiring special precautions or emergency 
procedures by the crew. The OCMF shall provide emergency detection 
for loss or impending loss of critical functions and for flight 
safety parameters exceeding safe limits. Emergency detection shall 
be accomplished within a time interval which permits the necessary 
actions to be taken to preclude a catastrophic effect of the failure. 

The emergency detection provisions, including the associated caution 
and warning displays, shall comply with the redundancy requirements 
defined by the Space Shuttle program specifications. 

3. 1.1. 2. 2 Fault Isolation - Diagnosis for fault isolation shall 

be accomplished with onboard equipment for redundancy management control 
and for use in maintenance operations. 
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Redundancy management is comprised of reacting to the detection of 
a failure, impending failure, or other potential emergency condition by 
activating the appropriate redundant function, path or element. The 
capability for redundancy management shall be provided in the propulsion 
system and associated subsystems, including the capability for fault 
isolation to the lowest level (element, path or function) at which re- 
dundancy is provided. Fault isolation for redundancy management shall 
be accomplished as soon after fault detection as necessary to activate 
the redundant element,., path or function' before the fault progresses. 

Loss of redundancy shall be reported to the crew. Fault isolation shall 
be accomplished for maintenance operations by identifying the faulty 
Line Replaceable Unit (LRU) and recording the data. 

.3. 1.1. 2. 3 Trend Analysis - The parameters to be monitored for 
trend data and the discriminants by which the data shall be evaluated 
shall be as identified by the analysis approach of Paragraph 3. 1.2. 2. 3. 
The principal purpose of trend analysis shall be to identify progressive 
deviations or degradations in performance while the system is still 
within safe operating limits. The information derived from this short 
term trend analysis shall be used in managing redundancy by' using 
redundant resources when trend analysis has predicted an imminent 
failure, and in support of maintenance operations by identifying 
elements which have an unacceptable probability of failure during 
the next operation or mission. Short term trend analysis shall be 
conducted by onboard equipment. 

Long term trend analysis, such as the compilation of fleet trend 
data, can be performed by ground equipment or by onboard equipment. 

The extent to which long term trend analysis is accomplished by ground 
or onboard equipment shall be determined by conducting the tradeoff 
analyses identified in Paragraph 3. 2. 2. 2. 8. 

3. 1.1. 2. 4 Data Recording - Capability shall be provided for 
processing and recording propulsion system performance data, trend 
data, fault isolation data, and component operating history data. 

The data recording requirements shall be as defined from the analysis 
defined in Paragraph 3. 1.2.2. 3. The recorded data shall be formatted 
and identified as to time and parameter to allow efficient postflight 
processing for reduction and evaluation. 

3. 1.1. 2. 5 Display - Capability shall be provided for reporting 
information to the crew. The general guideline for inflight display 
is that priority shall be placed on displaying information necessary 
for crew action or caution and warning. Included in this category 
are notification of the detection or prediction of a fault when 
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corrective actions or emergency procedures by the crew are required, 
and notification of any reduction in level of redundancy. Capability 
shall be provided to display (on a crew request basis) the fault iso- 
lation data on which automatic redundancy management decisions are 
made. The capability shall also be provided for displaying flight 
information relating to system status and performance, such as operat- 
ing modes and propellant quantities. 

3. 1.1. 3 Control - Propulsion system control is integrated with 
the onboard checkout and monitoring function. Control capability 
shall be provided to initiate, modify, terminate or otherwise regu- 
late the operation of the propulsion system during all phases of the 
Space Shuttle mission. Specific control requirements shall be derived 
from the analyses identified in Section 3.1.2. In general, the pro- 
pulsion system is controlled by stimuli originating in associated 
subsystems, such as ignition and thrust commands originating in the 
avionics and/or crew subsystems. While control signals are generally 
low level electronic signals at their origin, propulsion elements may 
require high energy stimuli from other systems such as the electrical, 
hydraulic, or pneumatic systems, or from ordnance. 

3. 1.1. 4 Postf light Evaluation - The OCMF shall support the post- 
flight evaluation activities required for the propulsion system. They 
include postflight data evaluation and postflight inspection. 

3. 1.1. 4.1 Postflight Data Evaluation - Postflight data evaluation 
is the data processing and analysis activity required to transform 
flight recorded data into the forms required by the ultimate data users. 
Requirements for postflight data evaluation include the processing of 
inflight fault isolation and trend data to identify maintenance 
actions; processing of performance data to establish vehicle and fleet 
trends; and data compilation to accure operating histories on time and 
cycle sensitive components. 

3.1. 1.4.2 Postflight Inspection - Postflight inspection includes 
visual and manual inspections of the flight hardware for evidence of 
anomalies such as hot gas leakage and structural damage or degradation. 
While postflight inspection is not a function of the OCMF, it is essen- 
tial to the identification of potential maintenance actions on the 
propulsion system and to the verification of the structural integrity 
of the propulsion system. 

To maximize the effectiveness of the ground operations, the post- 
flight inspection requirements shall be identified during the design 
cycles of the propulsion system and during -the checkout and monitoring 
requirements analyses such that they may be integrated into the design 
of the propulsion system and into coordinated postflight evaluation 
procedures. 


. 3 ; 1,2 Sy _ S-t ems Analysis Approach - The systems analysis approach 
specified herein shall be employed to ensure that the propulsion system 
design ^ is consistent with OCMF concepts, and to define the propulsion 
system s checkout and monitoring requirements. The systems analysis 
shall be comprised of assemblage of propulsion system hardware and 
functional data, analyses of the propulsion systems and elements, and 
the identification of propulsion parameters for measurement. An 
iterative process shall be employed whereby the conceptual and pre- 
liminary designs of the propulsion system shall be refined to accom- 
modate and incorporate the checkout and monitoring functions defined 
in Section 3.1.1, to eliminate propulsion system elements that are 
not amenable to fault detection and isolation with onboard equipment 
and to provide an optimized complement of measurement parameters. The 
compliance verification checkpoints and documentation requirements of 
the systems analysis are specified in Section 4.0. Figure 3. 1.2-1 
illustrates the systems analysis approach. 

3,1 - 2 * 1 -P ?-°P. u lsion System Definition - A thorough definition 
of the propulsion system shall be assembled to provide a base for the 
system analyses. Requirements for approval and documentation of the 
propulsion system definition are specified in Section 4.0. The propul- 
sion system definition shall be changed and documented in accordance 
with the iterative steps in the systems analysis. 

3. 1.2. 1.1 Function al and Operational Criteria - Functional anu 
operational criteria shall include the following: 

(a) Program Requirements : specifications, constraints, guide- 

lines, concepts and objectives to be adhered to and pursued 
in the formulation of the propulsion system and OCMF defin- 
ition. These program requirements will be supplied by the 
Procurement Agency. 

(b) Mission Requirements: for each mission phase (including 

the turnaround cycle) full descriptions including timelines 
sequences of events, and objectives. The mission require- 
ments will be provided by the Procurement Agency. 

(c) System Requirements: complete descriptions of the propulsion 

system functional operating requirements on a mission phase 
basis. These descriptions shall include the modes of propul- 
sion system operations and associated sequences, frequencies 
and durations; the interface requirements of the propulsion 
system with the other vehicle systems; and the propulsion 
system interfaces with the launch facility, propellant load- 
ing system, and ground mechanical and electrical support 
equipment at the launch pad and in the maintenance areas. 

The baseline system requirements will be provided by the 
Procurement Agency. 
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FIGURE 3. 1.2^1 PROPULSION SYSTEM DEFINITON 5- ANALYSIS APPROACH 
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3. 1.2. 1.2 Propulsion Hardware Definition - Hardware definition 
shall consist of propulsion system schematics to the component level, 
system configuration drawings, and component definitions. The system 
configuration drawings shall define propulsion system interfaces with 
other subsystems, and shall show the physical arrangement and locations 
of the propulsion hardware within the vehicle. The component defini- 
tions shall contain operating characteristics and criteria in sufficient 
detail to permit the conduct of the component analysis. For example, 
the definition of a solenoid valve shall include the following charac- 
teristics for the final iteration of the propulsion system analysis: 

Weight, volume and envelope 

Operating and/or service fluids 

Operating, proof and burst pressure 

Opening and closing response times under specified conditions 

Performance margins 

Operating and service life ratings 

Environmental ratings 

Contamination control requirements 

Mechanical interface requirements 

Electrical interface requirements 

Special considerations unique to the design, construction, 
operation and service of the component 

3. 1.2. 1.3 Control Sequence and Operational Logic Diagrams (CSOLD) ■ 
Control sequence and operational logic diagrams shall show the detailed 
sequences and conditions of operation of the propulsion systems. The 
diagrams shall contain entries for each sequential event and each con- 
dition required for a change of system, subsystem, assembly or component 
state, as well as the conditions necessary for continued operation in 
the same state. The accuracy with which a condition must be known shall 
be included. 

All interfaces, modes of operations and redundancies shall be 
incorporated into these diagrams. The diagram shall encompass pre- 
start, start, operating, shutdown and post-operation conditions. The 
feedback or influence of events and conditions on each other, the system 
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operation, and interfacing functions shall be indicated. CSOLDs are a 
key source for establishing data acquisition, data processing, and 
stimuli requirements. 

An example is presented below to demonstrate the general technique 
of generating CSOLDs, their basic content (not the required level of 
detail), and the integral relationship of checkout, monitoring, and control. 

Figure 3. 1.2-2 is a simplified CSOLD for the operation 
of an oxygen conditioning subsystem represented by Figure 
3.1.2-3. For the purposes of this example, assume that pre- 
start checkout has been successfully completed, the subsystem 
isolation valves (VI, V5 , and V7 for Section 1) have been 
opened and verified, that under normal conditions only one 
section of the subsystem operates at any one time, and that 
the three identical sections of the subsystem are operated 
in progression so that each section can be expected to be 
operated during each flight. 

The first block in Figure 3. 1.2-2 represents the logic that 
enables the subsystem, selects the next section to be opera- 
ted, conducts readiness checks, and opens the isolation valves. 

The times of subsystem operation start and stop are control- 
led by the pressure in T1 (see first and last decision dia- 
monds). The frequency at which the pressure in T1 is required 
to be measured (sample rate) to determine when to start the 
subsystem will probably be considerably less than the rate at 
which it is sampled to determine when to shut the subsystem 
down. 

The block labeled Subsystem A indicates that the value of the 
pressure in T1 may be required for other reasons, such as the 
fault isolation of another subsystem. 

The operation of the selected section is initiated by opening 
the appropriate pump suction valve (V8 for SI). The verifi- 
cation of valve response may require the evaluation of param- 
eters such as position, position versus time, line pressure, 
temperature, or solenoid current and/or voltage traces. The 
line labeled NO from the V8 Response question diamond (and 
the other abnormal condition lines) leads to fault isolation, 
subsystem or section shutdown, and redundancy management sequences. 

If V8 responds properly, the start sequence is continued by com- 
manding the gas generator oxygen feed valve (V2) open and verify- 
ing it. The remainder of the start sequence, represented by a 



PRESTART CHECKOUT, 
SUBSYSTEM ENABLE, 

AND REDUNDANT SYSTEM 
SELECTION 



Figure 3. 1.2-2 Simplified Control Sequence and Operational Logic Diagram 
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Figure 3. 1.2-3 Oxygen Conditioning Subsystem 
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single block, would consist of opening the fuel feed valve (V6) 
and igniting the gas generator in the proper sequence. The 
timing and other conditions required to complete the start 
sequence shall be identified. 

To fulfill the requirements of the monitoring function, a 
number of parameters may be monitored during steady-state 
operation, such as gas generator chamber pressure and temp- 
erature; turbopump speed and discharge pressure; power train 
lube level, pressure and temperature; power train vibration 
level, power train bearing temperature, etc. Some or all of 
these same parameters may be monitored at the same .or dif- 
ferent sample rates, at other times (during start, shutdown, 
etc.) for different reasons, and using the same or different 
discriminants to evaluate them. 

The steady-state operation and monitoring .would continue until 
either the pressure in T1 attained the specified level or 
until a fault was detected, at which time the appropriate 
shutdown, fault isolation and redundancy management sequence 
would be executed. 

Fault isolation sequences shall be based on the LRU identifi- 
cations (paragraph 3. 1.2. 2.1) and the level of redundancy of 
the system. 

3. 1.2. 2 System Analysis - The checkout and monitoring requirements 
for the propulsion systems shall be defined by the system analyses ap- 
proach described herein. The analyses of the propulsion systems shall 
be conducted by the propulsion design personne-1 in a coordinated effort 
with all other affected personnel. These .analyses include line replace- 
able unit identification, failure modes and effects analysis, checkout 
and monitoring functional requirements analysis, and measured parameter 
and sensor selection. In addition to the identification of the required 
measured parameters and their associated sensors, the system analysis 
shall define data processing requirements, recording and display require- 
ments, stimuli requirements, functional and leak test requirements, 
inspection requirements, and requirements for ground support equipment 
associated with checkout and monitoring. 

3. 1.2. 2.1 Line Replaceable Unit Identification - Propulsion sys- 
tems line replaceable units; (LRUs) shall be identified. An LRU is 
defined as a component, group of components, assembly or subsystem 
that can be removed, replaced, and retested in the maintenance area by 
competent mechanics within the constraints of the Space Shuttle turn- 
around cycle timeline. All LRUs, except those that perform no function 
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other than providing structural integrity, must be capable of being 
fault isolated. Exceptions shall be made only with formal approval 
of the Procurement Agency. 

The identification of the LRUs shall be determined through trade- 
off studies. Selection considerations shall include accessibility, 
weight, volume, complexity of the structural, mechanical and electrical 
attachments, post-installation retest requirements, and fault isolation 
capability. Examples of LRU candidates are the gas generator or a 
valve package (VI, V2) of Figure 3. 1.2-3. 

3. 1.2. 2. 2 Failure Modes and Effects Analysis - Failure modes and 
effects analysis (FMEA) shall be conducted to identify limitations in 
the propulsion system design (such as propulsion elements that are not 
amenable to fault detection with onboard equipment or require system 
break-in for checkout), to establish candidate parameters for fault 
detection and fault isolation, and to provide a basis for determining 
caution and warning display requirements. The basis for the FMEA 
shall be MSFC Drawing No. 85M03885, "Guidelines for Performing Failure 
Mode, Effects, and Criticality Analysis (FMECA) on the Space Shuttle", 
except that the criticality analysis defined therein is not required 
for propulsion system analysis for the OCMF. (This does not imply that 
the criticality analysis shall not be required by other parts of the 
contract.) The FMEA tabulation format, as presented in the referenced 
drawing, is shown in Figure 3. 1.2-4. 

The FMEA shall be iterated each time that the propulsion system 
design is modified during the system analysis and OCMF definition and 
implementation iterations. 

3 . 1 . 2 . 2 . 3 Checkout and Monitoring Functional Requirements Analysis 
This analysis, as outlined in Figure 3. 1.2-1, shall derive the imple-. 
mentation requirements for the OCMF. The approach shall consist of 
evaluating the Propulsion System Definition (Paragraph 3. 1.2.1), the 
LRU Identifications (Paragraph 3. 1.2. 2.1), and the FMEAs (Paragraph 

3. 1.2. 2. 2) to satisfy the checkout, monitoring, postflight. evaluation, 
and control function requirements of the propulsion systems. The 
result of this analysis shall be the identification of requirements 
for display, recording, trend analysis, functional and leakage testing, 
data acquisition, stimuli, data processing, simulation, and related 
ground support equipment. 

3. 1.2. 2. 3.1 Description of Results 

(a) Display Requirements - System status and hazard warning are 
the principal display requirements. The listing of display 
requirements shall identify: (1) any crew action required 
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by the display condition; (2) the recommended type of display; 
(3) the mission time period or event for which the display is 
required; and (4) the required display redundancy based on the 
criticality of the condition being displayed. The derivation 
of the display requirements shall be accomplished per the 
guidelines of Paragraph 3. 1.2. 2. 3. 2. 

(b) Recording Requirements - System status, system performance, 

fault isolation, and operating history data are the principal 
recording requirements. The identification of the data 
recording requirements shall specify: (1) the ultimate use 

of the recorded data; (2) the processing required (if any) 
prior to data recording; (3) the time of mission and period 
during which the indicated recording is required; (4) the 
peak rate at which the data must be recorded; and (5) the 
period for which recorded data must be retained. Recording 
requirements shall be derived per the guidelines of Paragraph 
3. 1.2. 2. 3. 2. 

(c) Functional and Leakage Testing Requirements - The identifi- 
cation of the checkout and monitoring requirements imposed 
by functional and leakage testing shall be included in the 
identification of the data acquisition, stimuli, recording, 
display, data processing, simulation and GSE requirements 
identified for the maintenance retest and ground checkout 
activities . 

(d) Data Acquisition Requirements - Data acquisition requirements 
shall be defined in accordance with the analyses described in 
Paragraph 3. 1.2. 2. 3. 2. The recommended format of the tabula- 
tion of these requirements and an example (T1 pressure in 
Figure 3. 1.2-3) of the information to be entered therein is 
illustrated by Figure 3. 1.2-5. 

The initial tabulation shall be made without regard to 
whether a parameter shall be obtained by direct measurement 
(measured parameter) or whether it must be calculated (derived 
parameter) from one or more measured parameters. 

The data acquisition tabulation is a composite listing that 
defines the relationship between a parameter and a propulsion 
element, the basic discriminant for evaluating acquired data, 
the rationale for acquiring data, and the interval during which 
the data is of significance. 
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(e) Stimuli Requirements - Stimuli requirements are those necessary 
to satisfy the control function of the propulsion system ele- 
ments. The specification of electrical requirements shall 
include signal identification, associated propulsion element, 
and applicable signal characteristics such as type, level, 
frequency, pulse width, repetition rate, duration, accuracy, 
time and conditions for application, maximum source impedance, 
minimum load impedance, and remarks that identify those 
conditions or characteristics not otherwise covered. 

Propulsion system power requirements and sensor reference 
voltages are not included in these requirements. Power 
requirements shall be identified in the appropriate inter- 
face control documents, and sensor reference voltage re- 
quirements shall be identified from the sensor definitions 
of Section 3.2. 

The specification of mechanical stimuli shall include all 
applicable characteristics such as force, torque, pressure, 
etc . 

(f) Data Processing Requirements - Required algorithms, compu- 
tations, comparisons, or other data processing techniques 
shall be identified for each usage of each identified pro- 
pulsion system measured parameter, and for the execution of 
propulsion system control. These specifications shall include 
the frequency at which the processing is required and any 
limitations that may be imposed on processing time. Data 
processing requirements shall be identified per the guide- 
lines of Paragraph 3. 1.2. 2. 3. 2 and 3. 1.2. 2. 4. 

(g) Related GSE Requirements - Ground support equipment related 
to the checkout and monitoring function includes those items 
necessary to support the activities of postflight checkout 
and evaluation, maintenance retest, and prestart checkout. 

The identification of these GSE requirements shall be a 
result of the analysis approach of Paragraph 3. 1.2. 2.3. 2. 

(h) Simulation Requirements - The validation of onboard computer 
programs and control sequences during preflight checkout 
requires the simulation of a number of propulsion parameters 
and conditions such as the simulation of engine thrust build- 
up, tank pressures, and so forth. Simulation requirements 
shall be identified in conjunction with the derivation of 
the prestart checkout requirements. 
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(t) Inspection Requirements - Propulsion system design requirements 

for inspection, inspection procedures, and related support equip- 
ment necessary to conduct postflight inspection shall be 
identified . 


3. 1.2. 2. 3. 2 Derivation of Results - The results described in 
Paragraph 3. 1.2. 2. 3.1 shall be derived in accordance with the analyt- 
ical approach presented herein. 

Checkout, monitoring, control and postflight evaluation are gen- 
erally dependent functions. In most cases the requirements or capabil- 
ities necessary to perform those functions are most easily and effectively 
defined simultaneously. For example, the oxygen accumulator pressure 
in Figure 3. 1.2-3 is monitored to control the operation of the oxygen 
conditioning subsystem in addition to being used for fault detection, 
fault isolation, and hazard warning display. Therefore, at the time 
that accumulator pressure is listed in the data acquisition tabulation, 
the corresponding data processing for fault detection, subsystem con- 
trol, and display should be defined. 

Data acquisition requirements shall be identified from two general 
sources. First, data acquisition parameters for fault detection, em- 
ergency detection and/or hazard warning display shall be identified 
for each recommended failure detection method identified from the results 
of the FMEA . The discriminants relating candidate parameters to specific 
failure modes shall be identified for each failure detection method. 

These discriminants are the basic source from which the corresponding 
data processing requirements shall be derived. Discriminants can be 
determined either by using the results (signatures) of extensive test- 
ing of acceptable and failed samples (including trend analysis) or 
by the understanding of the specific failure mechanisms determined by 
analytical techniques. 


Second, data acquisition requirements for status and redundancy 
verification, functional and leakage testing, fault isolation, trend 
analysis, data recording and display, simulation, and control shall 
be derived from a pha se-by- phase mission analysis using: 

Control Sequence and Operational Logic Diagrams (Para. 3. 1.2.1) 


Propulsion System Hardware Definitions 

Propulsion System Functional and Operational 
Criteria 

Checkout and Monitoring Function Definitions 
LRU Identifications 


(Para. 3. 1.2.1) 
(Para. 3. 1.2.1) 

(Para. 3.1.1) 
(Para. 3. 1.2. 2) 



Associated display, recording, data processing, ground support 
equipment and stimuli shall be' identified concurrently with the ident- 
ification of the data acquisition requirements. 

The tabulation of candidate data acquisition parameters shall be 
optimized through the process described in Paragraph 3. 1.2. 2.4. (The 
optimization consists of measured parameter and sensor selection, and 
may include the iteration of the propulsion system design to add to 
or modify the propulsion hardware or modify operating sequences for 
the purpose of implementing the OCMF.) The tabulation shall include 
operational conditions such as manual control settings, mission elapsed 
time, burn time, or any other condition (s) that must be sensed to exe- 
cute the checkout, control, and monitoring functions. 

The following paragraphs and figures illustrate the derivation 
of the checkout and monitoring requirements on an individual function 
basis . 


(a) Prestart Checkout - The prestart checkout function is defined 
in Paragraph 3. 1.1. 1.1. 

The matrix shown in Figure 3. 1.2-6 shall be used as a 
guideline to define the OCMF capabilities required for 
the prestart checkout function. The analyses indicated by 
this matrix shall be performed on a step-by-step basis for 
each mission phase in which prestart checkout is applicable. 

The primary rows identify the requirements associated with 
the prestart checkout function (status verification, redun- 
dancy verification, etc.) and the columns identify the 
checkout and monitoring capabilities necessary to satisfy 
those requirements. The secondary rows identify the source 
material that must be analyzed to make this derivation. 

Notes providing supplementary information and definitions 
of the data source code acronyms are provided at the bottom 
of the figure. 

The use of the matrix is illustrated below using the subsys- 
tem of Figure 3. 1.2-3 as an example. The purpose of the 
examples in the following material is to demonstrate the 
analysis techniques and to create an awareness of the type 
of information to look for and consider. The examples should 
not be construed as conclusions or recommended solutions to 
specific requirements. 

The X in the data acquisition column for status verification 
indicates that an examination of the control sequence and 
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Figure 3. 1.2-6 Prestart Checkout Function Requirements 
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operational logic diagrams and the propulsion hardware 
definitions (schematics in this case) are necessary to 
identify the parameters needed to verify that subsystem 
status is within specified limits to initiate operation. 

The parameters in this case would be the positions of the 
six solenoid valves (closed), the pressures and temperatures 
of the GC^, GH 2 , and LO 2 supplies, gas generator igniter 
supply voltage (less than x), and possibly igniter current 
(less than w) and pump discharge pressure (y + z) or tempera- 
ture. 

The X under data processing for the parameters identified 
above would be derived from the measured parameter selection 
process in which a determination of whether a desired para- 
meter can and should be measured directly or can and should 
be derived from one or more measured parameters. Considera- 
tions that influence this determination are whether or not 
it is possible to directly measure the desired parameter 
and the fact that the desired information may be available 
from alternate parameters that must be measured for other 
reasons. Another driving factor in this determination is 
the objective to define the most cost effective system that 
will satisfy the requirements. Examples in the subsystem 
under consideration are the positions of the pump suction 
valves (V 7, V8). Assume that all that is required to be 
known (for all reasons) is that the valves are either closed 
or sufficiently open to allow an adequate flow of LC >2 to 
the pump. A number of candidates are available for consid- 
eration either individually or in combinations. (1) Discrete 
position indicators; in this case the data processing is at 
a minimum since the transducer evaluates position directly 
and provides a go/no-go indication. This option would be 
most attractive if software design and/or computer speed or 
memory size were the principal cost drivers and the trans- 
ducers were available. (2) Solenoid current signatures 
and pump inlet pressure and/or temperature where the inlet 
parameters were required for another purpose. The data 
processing for this case would consist of analyzing the 
current signatures with the appropriate discriminants 
(rate, level, rise time) and the inlet conditions. This 
option would have appeal if suitable position indicators were 
unavailable and development costs were high, or were not cost 
effective on the basis of considerations such as weight, or 
were not capable of being fault isolated. (3) Ultrasonic 
contact sensors may be required to detect internal or external 



leakage. They may be used in conjunction with solenoid 
current signatures or with pump inlet parameters. As in 
example (2) above, the data processing would entail the 
analysis of signatures and the evaluation of inlet param- 
eters. The selection rationale would be similar to example 
( 2 ). 

Note 1 indicates that redundancy verification is required 
during prestart checkout prior to flight (not in flight). 
Paragraph 3. 1.1. 1.1. 2 further indicates that normal func- 
tioning of redundant mechanical elements demonstrated during 
the previous flight, postflight safing and purging, mainten- 
ance retest, and/or during preflight operations shall be 
sufficient for redundancy verification. Assume that only 
sections 2 and 3 of the subsystem in Figure 3. 1.2-3 had 
been operated during the previous flight. Then the opera- 
bility of section 1 would require verification on the ground 
before the next flight. It may be verified through normal 
operation if that subsystem is normally started on the ground 
and section 1 is the next sequential section to be operated, 
or it may be verified by functional testing. (Capability 
shall be provided for functional and leakage testing in any 
case.) Whether or not the section had operated on the pre- 
vious flight the solenoid valves would probably have been 
functionally operated during the postflight safing and 
purging cycle. Therefore redundancy verification may be 
limited to the verification of each check valve, the 
ignition circuitry, the turbopump assembly, and the elec- 
trical elements of the instrumentation. The verification of 
the operability of the check valves may require the addition 
of a pressure port between the valves to facilitate checkout. 
In this case the propulsion system analysis would be iterated 
to include the new component, as it would be to include any 
modifications to the basic design to facilitate functional 
testing of the turbopurap assembly. 

The X's under data acquisition and data processing for 
redundancy verification have the same meaning as they do 
for status verification. The X's under recording and 
display for redundancy verification indicate that the 
recording and display capabilities for redundancy status 
shall be identified in accordance with the program require- 
ments and the checkout and monitoring function definitions 
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(Section 3.1.1). For example, the loss of redundancy shall 
be displayed to the crew and recorded for maintenance opera- 
tions in the form of faulty LRU identification. 

The remainder of the matrix shall be used in a similar 
fashion. The identification and implementation of the pro- 
pulsion system checkout and monitoring requirements is de- 
pendent on a comprehensive understanding of the data source 
material, a systematic and thorough system analysis, and 
a coordinated effort among personnel of a variety of dis- 
ciplines from the conceptual design through the final 
design of the propulsion and associated systems. 

(b) Post fl ight Checkout - The postf light checkout function is 
defined in Paragraph 3. 1.1.1. 2. The capabilities required 
for this function are analogous to those for prestart check- 
out, described in paragraph (a) above, and for monitoring, 
described in paragraph (d) below, and shall be derived in a 
similar manner. An additional item to consider during post- 
flight checkout is the potential desirability or requirement 
to confirm certain faults that were identified inflight. 

This may preclude the possible time consuming removal and 
replacement of operable hardware by conducting a relatively 
short checkout sequence. Or, ground fault isolation may 

be required for certain faults that were unable to be iso- 
lated to an LRU level inflight (such as an open electrical 
circuit) . 

(c) Maintenance Retest - The maintenance retest function is 
defined in Paragraph 3. 1.1. 4. 

The checkout and monitoring capabilities required for the 
verification of the leakage integrity of interfaces and the 
status of replaced propulsion system LRUs shall be identi- 
fied using the same approach and from the same sources as 
defined for the prestart checkout and monitoring functions. 

The processing requirements for maintenance retest shall 
include the identification of the processing necessary to 
update the operating history records that are used to fore- 
cast scheduled maintenance activities and to establish 
functional testing requirements. 

Simulation requirements requisite to LRU status verification 
shall be derived from the control sequence and operational 
logic diagrams. For example, the status verification of a 
replaced LRU in the subsystem of Figure 3. 1.2-3 may require 



the simulation of the build-up and decay of gas generator 
chamber pressure or the simulation of pump inlet temperatures, 
etc . 

Ground support equipment requirements associated with the 
verification of the leakage integrity of the interfaces 
and status of replaced LRUs shall be identified by this 
analysis . 

Monitoring - The monitoring function is defined in Paragraph 
3. 1.1. 2. 

The matrix shown in Figure 3. 1.2-7 shall be used as a guide- 
line to identify the OCMF capabilities required for the 
monitoring function. The analyses indicated by this matrix 
shall be performed on a step-by-step basis for every mission 
phase . 

The format and use of this matrix is analogous to that des- 
cribed for the Prestart Checkout Function Requirements 
Matrix of Figure 3. 1.2-6. 

Control - Stimuli requirements and data processing require- 
ments necessary to satisfy the propulsion system control 
function shall be identified. Stimuli requirements are 
primarily derived from the propulsion component definitions 
described in Paragraph 3. 1.2. 1.2 while the data processing 
requirements are primarily derived from the control sequence 
and operational logic diagrams. The data processing require- 
ments shall include the identification of parameter discrim- 
inants on which the control sequences are based and the 
dependence on such variables as mission elapsed time, operat- 
ing mode, manual control settings, etc. 

■ EoS-tf light Evaluation - The postflight evaluation function 
is defined in Paragraph 3. 1.1. 4. The onboard processing 
capability that shall be provided for postflight data 
evaluation shall be defined in conjunction with the defini- 
tion of the onboard recording capabilities for fault isolation 
data, performance data, trend data, and operating history data. 
The processing capability shall be compatible with the selected 
recording techniques and the requirements of the data users. 
Related onboard control and display requirements, ground inter- 
faces and ground support equipment shall be identified from 
the resultant processing implementation definitions and the 
data user requirements. 
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While postflight inspection is not a function of the OCMF, 
the related propulsion system design requirements, inspec- 
tion procedures, and support equipment shall be identified 
in conjunction with the propulsion system analysis to achieve 
a fully integrated design and a coordinated postflight phase. 

3. 1.2. 2. 4 Measured Parameter and Sensor Selection - This process 
shall consist of data acquisition parameter optimization, measured 
parameter selection and optimization, and candidate sensor selection. 

The data acquisition parameter tabulation described in Paragraph 
3. 1.2. 2. 3.1 shall be optimized by eliminating non-essential parameters 
and eliminating parameters for which the same or better information is 
available from alternate sources. This is not a restriction on the use 
of redundancy either through the use of redundant sensors or by use of 
alternate parameters. Records shall be maintained to make visible the 
rationale justifying the retention or elimination of parameters. 

The optimized data acquisition tabulation consists of a listing 
of measured parameters and derived (calculated) parameters. A meas- 
ured parameter list shall be generated by selecting measured parameters 
for the derived parameters and adding them to the measured parameters 
listed on the optimized data acquisition parameter tabulation. A 
number of candidate measured parameters may exist from which a derived 
parameter may be obtained. (For example, volumetric flow rate, time, 
and propellant temperature, i.e., density, is a set of candidate 
measured parameters for deriving the parameter propellant quantity.) 

All measured parameters and sets of measured parameters which are 
candidates for deriving the required parameter shall be tabulated. 

The final selection of measured parameters for those cases where 
alternatives exist shall be made in conjunction with the implementation 
tradeoffs and selections of Section 3.2. (A driving factor in this 
selection is the relative cost effectiveness of the available sensor 
candidates and the other capabilities associated with a particular 
implementation candidate.) 

The total list of measured parameters shall then be subjected 
to an optimization process. This process shall eliminate non-essential 
measured parameters and shall eliminate those entries for which better 
information is available and has been identified. 

Candidate sensors shall be identified for each entry of the meas- 
ured parameter tabulation. Final sensor selection shall be based on 
availability and the implementation criteria described in Section 3.2. 
In a case where a candidate sensor is not available, an iteration of 
the measured parameter tabulation is required. If alternative measured 
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parameters cannot be identified, the baseline propulsion system shall 
be evaluated to determine whether or not the sensor requirement in 
question can be eliminated by propulsion redesign. If propulsion 
redesign is a viable option, then all of the foregoing analyses of 
this section shall be included in the iteration cycle. If propulsion 
redesign is not a viable option, then a sensor technology requirement 
shall be identified. 

Fundamental data processing requirements shall be identified for 
each measured parameter. These requirements shall identify the dis- 
criminants by which each usage of each measured parameter shall be 
evaluated during the time of its significance; the frequency at which 
the processing for each case is required; and the restrictions on 
processing time for each case. The allocation of processing capability 
and its implementation shall be per the guidelines of Section 3.2. 
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3 ° 2 Checkout and Mon i toring Function Implementation - The guide- 
lines delineated in Paragraph 3.2,2 shall be used to incorporate the 
propulsion checkout and monitoring function requirements into the 
implementation criteria of those onboard and ground equipment elements 
(defined in Paragraph 3.2.1) that perform or contribute to propulsion 
checkout, monitoring and control. 

An integrated approach between the propulsion and avionics dis- 
ciplines shall be followed to achieve the optimum implementation of 
the propulsion checkout and monitoring requirements. A coordinated 
effort shall be conducted to integrate the selected sensors into the 
propulsion system design; minimize unique propulsion stimuli and exci- 
tation requirements; minimize unique specifications that result in 
special sensors, measurement techniques, displays, crew operations, 
etc.; select measured parameters and techniques that best satisfy 
the requirements; and resolve situations where the requirements of 
the baseline propulsion system are not amenable to available checkout 
and monitoring techniques. If propulsion system configuration changes 
are necessary to achieve the objectives of this effort, then the 
analyses of Section 3.1 and this section shall be iterated for the 
affected hardware. 

3 « 2 • 3 Elements Related to Checkout and Monitoring - The propul- 
sion checkout and monitoring function requirements shall be incorporated 
into the propulsion system design and into the implementation criteria 
of the propulsion system sensors, the data management and control (DM&C) 
subsystem, the crew controls and displays, interfacing systems such as 
the hydraulic, pneumatic, and electrical systems, and the related ground 
support equipment (GSE) . 

3,2. 1.1 Propul sion System Elements - Propulsion system element 
additions and/or modifications shall be made as required to make the 
system amenable to checkout and monitoring. Examples of such config- 
uration changes include adding a bleed port downstream of a check 
valve to verify check valve operation; changing a bearing type to 
one for which failure detection methods can be implemented; or reloca- 
ting sensor installations to ensure that the selected location is 
satisfactory for obtaining the desired information. The propulsion 
system shall be continually evaluated during the identification and 
implementation of the checkout and monitoring requirements to ensure 
that its design minimizes the checkout and monitoring requirements, 
and is completely compatible with the implementation of those require- 
ments. 


3. 2. 1.2 Sensors - Sensors respond to the measured parameters 
of the propulsion subsystems and of the propulsion dedicated controls 
and provide outputs in a usable form to remote processors, or to the 
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subsystem interface units of the DM&C subsystem, or directly to the 
vehicle central computer complex via the vehicle data bus. Basic 
identification of candidate sensors, including type, range, allowable 
system error, and response, are made for the measured parameters 
identified by the analyses of Section 3.1. -Generation of final sen- 
sor specifications shall be made in conjunction with the allocation 
of functional capabilities to the DM&C subsystem elements in accordance 
with the guidelines of Paragraph 3.2.2. 

■3. 2 o 1.3 Interfaces - The implementation of the checkout and 
monitoring function for the propulsion system shall include the 
consideration and definition of interfaces with other onboard systems 
that involve propulsion checkout or control, such as the electrical 
and hydraulic systems. 

3. 2. 1.4 Ground Support Equipment (GSE) - The extent to which the 
propulsion system checkout and monitoring function is implemented by 
the use of ground support equipment shall be determined using the 
criteria and considerations identified in Paragraph 3.2.2. 

3. 2. 1.5 Data Management and Control (DM&C) Subsystem - The 
elements and configuration of the DM&C subsystem shown by bold 
blocks in Figure 3. 2. 1-1 are employed by this document to illustrate 
the relation of the DM5cC subsystem to the pertinent vehicle and 
support equipment elements. The degree of applicability of this 
configuration or others is dependent on final criteria and require- 
ments defined for the overall avionics system. 

3. 2.1. 5. .1 Central Computer Complex (CCC) - The central computer 
complex provides data processing capability for the Space Shuttle 
vehicle. The degree to which the CCC shall provide processing capabil- 
ity for propulsion system control, data evaluation, display, recording, 
functional testing and trend analysis shall be determined using the 
requirements of Section 3.1 as criteria, and the guidelines of Para- 
graph 3.2.2. The CCC shall store the propulsion system flight programs 
that are not stored in propulsion dedicated processors. It may also 
be used to store propulsion system data that is required to be retriev- 
able during flight. 

3. 2. 1.5. 2 Digital Data Bus - The vehicle data bus system provides 
the data communication link between the central computer complex and 
other DMSiC subsystem units. The implementation of the digital data 
bus (or alternate data transportation means) shall accommodate the 
propulsion system requirements and shall be compatible with the alloca- 
tion of capabilities as identified from the tradeoffs described in 
Paragraph 3.2.2. 




Figure 3. 2. 1-1 Elements Related to Propulsion System 
Checkout and Monitoring 









III-31 


3. 2. 1.5. 3 Subsystem Interface Unit (SIU) - SIUs form the inter- 
faces between the digital data bus and the elements of the user sub- 
systems, and between the digital data bus and remote units of the DM&C 
subsystem. The general functions of an SIU related to propulsion sub- 
systems are control and data acquisition. For the configuration shown 
in Figure 3. 2. 1-1, these functions include capabilities to receive and 
decode digital data bus transmissions, generate and apply electrical 
stimuli to se lected points of propulsion subsystems for control, 
acquire data from selected points of propulsion subsystems, and con- 
dition subsystem data as required to transmit intelligible responses 
to the CCC. Electrical power, conditioning and distribution for pro- 
pulsion system control reference voltages may also be implemented by 
SIUs . 

The extent to which SIUs shall perform data processing on propulsion 
systems data, and the extent to which SIUs shall be required to condi- 
tion propulsion system data shall be determined through tradeoff 
analyses. Paragraph 3.2.2 contains criteria that shall be used as a 
guide in defining the allocation of capabilities to SIUs and in defin- 
ing the number and types of SIUs. 

In addition to the capabilities that an SIU may possess to implement 
propulsion system requirements, it may possess capabilities required by 
other user systems or by the DM&C subsystem such as transmission error 
detection and protection, electrical power conditioning and distribution 
for internal use, electrical power control, and self-checking. The 
requirements for these capabilities shall be derived from the applicable 
program and subsystem requirements. 

3. 2. 1.6 Dedicated Remote Processors - Dedicated remote processors 
can be employed to perform the detailed checkout, monitoring, and con- 
trol functions of certain major subsystems of the Space Shuttle, such 
as the main and airbreathing engines. The communication between remote 
processors and the CCC is limited to high level commands such as engine 
start, thrust level, and engine shutdown, and responses such as self- 
check status, malfunction detection data, and performance data to be 
recorded. The allocation of capabilities to the remote processors and 
their associated SIUs and sensors shall consider the criteria factors 
of Paragraph 3.2.2. 

3.2. 1.7 R ecorders - Recording capability can be in the form of 
vehicle data storage devices, system or subsystem dedicated recorders, 
and/or CCC memory. Dedicated recorders can be used to accommodate 
subsystems that require recording of large quantities of performance 
data for postflight analysis. Similar data from other subsystems may 
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be recorded on the vehicle data storage devices. Data that must be 
retrievable during flight, such as system status, shall be recorded 
in the CCC memory, or in the vehicle data recorder if it has inflight 
data retrieval capability. 

3. 2. 1.8 Crew Controls and Displays - Manual controls for the 
propulsion systems provide for inputs such as thrust level selection 
for the airbreathing engines, control of the attitude control and 
maneuvering thrusters, and manual override capabilities as required. 
Crew displays of propulsion system data provide information to the 
crew relating to propulsion system status, hazard warnings and such 
other data as may be required to assist the crew in determining requi- 
site actions. Visual data displays may be augmented by audio or visual 
a larms . 
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3.2.2 Alloca ti on of Func t ional Capabilitie s - The functional 
capabilities that are required to perform the checkout and monitoring 
function for the Space Shuttle propulsion system are described in 
Section 3.1. The implementation of those capabilities shall be ac- 
complished in accordance with the guidelines of this paragraph. The 
implementation of the checkout and monitoring function shall consist 
of allocating the required functional capabilities to the various 
onboard and ground elements that are candidates for incorporating 
those capabilities. The allocation of functional capabilities shall 
be accomplished through tradeoff analyses that include as criteria 
the requirements derived in Section 3.1, the Space Shuttle program 
requirements, vehicle subsystem requirements, and the implementation 
guidelines contained herein. The implementation approach is outlined 
in Figure 3. 2. 2-1. 

3 . 2 . 2 . 1 Capability Requirements and Implementation Candidates - 
Section 3.1 identified data acquisition, data processing, recording, 
display, and stimuli generation as capabilites that are requisite to 
satisfying the checkout and monitoring function requirements for the 
propulsion systems. The matrix of Figure 3. 2. 2-2 reduces those 
capabilities to their basic functions and shows the relationship be- 
tween them and the elements that are candidates to incorporate them. 

The requirements for these basic functions and their derivations are 
discussed in subsequent paragraphs. 

3. 2. 2. 1.1 Dat a Acquisition - Data acquisition includes the 
sensing of a propulsion system measurement parameter (whether it is 
from a sensor or a crew control) and any signal conditioning required 
to be performed to put the data into a form which is usable in sub- 
sequent calculations or comparisons, or for another purpose such as 
recording or display. Calculations or comparisons may be done by 

a remote unit or by the cental computers. Implicit in data acquisi- 
tion is the tra ns p o rta tion of data from one element to another, 
the c onversion of data from one form to another that transportation 
requires, and any swi t ching involved to acquire the desired data. 

The measured parameter tabulation formulated in Paragraph 3. 1.2. 2. 4 
shall be included in the criteria to implement these fundamental 
functions. The translation of the entries of the measured param- 
eter tabulation into implementation criteria is shown in Table 3. 2. 2-1. 
For the purposes of this document, functions such as data formatting 
and data validation are considered the responsibility of the avionics 
system and shall not be further discussed herein. (While a dedicated 
remote processor or comparable unit may be assigned to the propulsion 
system, it is basically an avionics unit and its non-propulsion origin- 
ated characteristics would be governed principally by avionics design 
criteria . ) 
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TABLE 3. 2. 2-1 

TRANSLATION OF MEASURED PARAMETER TABULATION 
ENTRIES TO IMPLEMENTATION CRITERIA 


PARAMETER 
(Column 1) 

The parameter type provides identification of the 
basic sensor type. 

PROPULSION ELEMENT 
(Column 2) 

The identification of the associated propulsion 
element leads to the definition of the propulsion 
component/sensor interface. 

TIME OF ACTIVITY 
(Column 3) 

Used to define the intervals and magnitudes of the 
peak demands on vehicle resources, i.e.. data bus, 
processors, recorders, displays, and crew. Con- 
versely, periods of low activity or inactivity are 
defined during which conservation of resources mav 
be achieved through resource management. 

RANGE AND UNITS 
(Column 4) 

Used in the definition of required sensor ranges 
which may affect sensing element type; the defin- 
ition of SIU, remote processor and/or CCC range 
requirements . 

ALLOWABLE ERROR* 
(Column 5) 

Used to define the combined accuracy of the sen- 
sors, SIUs, remote processors, CCCs and displays 
used to acquire data. 

*A function of data usage. 

RESPONSE RATE 
(Column 6) 

Used to define the required sensor response, 
system sample rates and system reaction times. 

SAMPLE RATES 
(Column 7) 

Used to determine hardware speed requirement, 
processing speed and magnitude, and vehicle data 
bus rates. Sample rates are used as criteria for 
allocation of processing capability to SIUs 
versus central computer. 

DATA USAGE 
(Column 3) 

Used in the definition of sensor type, recording 
and display requirements, basic data processing 
requirements, and vehicle data bus requirements. 

Also affects allowable error. 
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3. 2. 2. 1.2 Data Processing - Data processing for the propulsion 
systems is basically comprised of the ca lcula t ions and/or c omparisons 
required to evaluate acquired data (whether done by a remote unit or 
the CCC), the calculations and/or comparisons required to determine an 
appropriate control signal, and the operations requisite to recording 
and displaying propulsion data including data tagging and r outing . 

The fundamental data processing requirements for data evaluation shall 
be derived from the data use, allowable error, and response rate entries 
of the measured parameter tabulation of Paragraph 3. 1.2. 2. 4. Similarly 
the basic processing for propulsion system control shall be identified 
in conjunction with the definition of stimuli requirements. Data proces- 
sing requirements for recording and display shall be derived from the 
recording and display requirements of Section 3.1 and the implementation 
of those requirements per the guidelines of this section. Other data 
processing requirements shall be derived from the simulation of sequences, 
events, and conditions during ground operations. 

3. 2. 2. 1.3 Electrical Stimuli - Control of the propulsion system 
requires the generation and application of external stimuli in addition 
to data acquisition, data processing, display, and crew action. The 
stimuli requirements of the propulsion elements (such as solenoid 
valves) are identified in accordance with Section 3.1. Additional 
stimuli requirements shall be derived from the final sensor specifica- 
tions. Sensor stimuli may include gating commands, self-check commands, 
and calibration reference signals. 

3. 2. 2. 1.4 Data Storage - The recording of propulsion system 
status, performance data, fault isolation data, operating history 
data, and the storage of propulsion system algorithms and control 
sequences derived from the analyses of Section 3.1 comprise the data 
s torage requirements for the propulsion systems. 

3.2.2. 1.5 Data Reporting - The propulsion system parameters and 
conditions for which data reporting (crew displays and alarms) is 
required are identified by the analyses of Section 3.1. 

3. 2. 2. 2 Capability Allocation Criteria - The general criteria 
that shall be considered in the allocation of capabilities to onboard 
and ground equipment are : 

Space Shuttle program requirements 

Space Shuttle propulsion system requirements and characteristics 
Space Shuttle avionics requirements 
Space Shuttle environmental requirements 
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Minimization of: 

New development requirements 

Ground support requirements 

Unique hardware, software, and procedures 

Maximization of: 

Modularity 

Commonality 

Maintainability 

Reliability 

Hardware and software simplicity 

Another general consideration for the allocation of functional 
capabilities is that of ease of subsystem development; that is, the 
level of development possible at the subsystem level is largely 
dependent on the distribution of capabilities among the system ele- 
ments. 

The specific implementation criteria for the allocation of capa- 
bilities shall be established by conducting the tradeoff analyses 
described in the following paragraphs. These analyses principally 
establish criteria for the allocation of the signal conditioning and 
data processing capabilities among the sensors, subsystem interface 
units, remote processors and the central computers. 

3. 2. 2. 2.1 Sensors - Basic sensor criteria shall be derived 
from Columns 1, 2, 4, 5, 6, and 8 of the measured parameter tabu- 
lation (see Table 3. 2. 2-1). A determination of whether an analog or 
a discrete output is required from the sensing element can be made 
from that criteria. The results of that determination shall be used 
in the definition of the signal conditioning and data processing 
requirements for the parameter under consideration. 

Evaluation of the relative merits of consolidated (SIU or remote 
processor) versus distributed (sensor) signal conditioning shall be a 
primary factor in determining the extent of signal conditioning to be 
incorporated into sensors. The advantages of distributed signal con- 
ditioning are increased redundancy and the ability to trim a signal 
conditioner to a particular sensor. The advantages of consolidated 
signal conditioning are reductions in the power consumption, weight, 
and size of the signal conditioning equipment. The selection of 
sensing element type shall be done in conjunction with the definition 
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of the signal conditioning equipment required for that sensor and shall 
include consideration of exposure to the propulsion system induced and 
natural environment. 

A determination of the extent to which data evaluation capability 
shall be incorporated into sensors shall be performed considering the 
usage of the sensor output data, the sensor output interface (see next 
paragraph), sensor mounting options, weight, power, size, redundancy, 
flexibility, vehicle data bus traffic, and data processing requirements. 

An evaluation shall be made to determine whether a sensor output 
should interface directly with the vehicle data bus, or with an SIU 
or remote processor. Reaction time requirements for safety and control 
shall be a primary consideration in this evaluation. Other criteria 
to consider are the reductions in hardware power, weight, size, vehicle 
data bus traffic, and data processing requirements when the communica- 
tion capability for a number of sensors is consolidated into an SIU or 
a remote processor versus the increase in redundancy and system flexi- 
bility with individually addressable sensors. The results of this eval- 
uation shall be used in the definition of sensor electrical interfaces. 

Sensor electrical interfaces shall also include the definition 
of interfaces for sensor control commands and sensor electrical exci- 
tation. Sensor output enable and/or sensor self-check command require- 
ments are dependent on the capabilities allocated to the sensor. The 
interface (s) for sensor electrical excitation depend on the power 
requirements of previously allocated sensor capabilities, the require- 
ments for calibration references, and the determination of the optimum 
allocation of power conditioning capability. 

The mechanical interfaces of sensors with the propulsion elements 
shall be defined considering such aspects as accessibility, maintain- 
ability, environment, the effects of location on sensitivity and fidelity, 
calibration requirements, mounting torque, and the moments of externally 
mounted assemblies. 

Sensor accuracy shall be specified in conjunction with the accura- 
cies of the other onboard elements (SIUs, remote processors, central 
computers, displays) such that the total allowable error specified for 
the associated measured parameter is not exceeded. Error allocation 
shall account for error sources whether they are random or time progres- 
sive and the relative cost to design and maintain each error allocation 
to attain the most favorable long life/cost characteristics. 
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Final sensor specifications shall include: parameter type; sensing 

element type; range; accuracy; sensitivity; frequency response; environ- 
ment (s); operational and service life; electrical and mechanical inter- 
faces; physical limitations; self-check requirements; and calibration 
requirements and/or restrictions (including restrictions on adjustments). 

The assignment of sensor outputs to SXUs or remote processors 
shall be done in conjunction with the definition of those units. 

3*2. 2. 2. 2 Subsy stem Interface Units - The functional redundancy 
of the propulsion subsystem and proximity to those subsystems shall be 
primary considerations in the definition of the number of subsystem 
interface units (or portions thereof) assigned to service the propul- 
sion subsystems. 

Tradeoffs for the allocation of signal conditioning, data proces- 
sing and stimuli generation are the principal criteria for establishing 
the types of SIUs that are optimum in accommodating the propulsion 
system requirements. Signal conditioning requirements shall be 
established through tradeoffs as described under sensors (Paragraph 
3. 2. 2. 2.1); that is, distributed versus consolidated signal condition- 
ing where the results influence system power, weight, size, redundancy, 
flexibility, and failure detection capability. The amount of signal 
conditioning required shall also be considered in establishing the 
number of SIUs for propulsion system service. 

Data processing capability shall be traded off among sensors, 

SIUs, and central computers considering the actions, reactions and 
corresponding times required for propulsion system control; vehicle 
data bus traffic rates; central computer processing requirements; 
system power, weight, and size; system reliability and redundancy; 
ease of fault detection, fault isolation, and redundancy management; 
and simplicity of software development. 

The extent of electrical power conditioning and distribution 
by SIUs for propulsion system stimuli or excitation shall be deter- 
mined from the control requirements (both functional and checkout 
dictated) identified in Section 3.1. The extent of electrical power 
conditioning and distribution for sensor electrical excitation shall 
be determined in conjunction with the allocation of sensor capabilities 
and error budgets and shall consider the relative merits of consolidated 
versus distributed power conditioning. The requirements for the 
generation of stimuli for sensor control shall also be determined in 
conjunction with allocation of sensor capabilities. 
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3. 2. 2. 2. 3 Remote Processors - The quantity and speed requirements 
of data processing for control and fault detection are driving factors 
in the determination of whether or not remote processors shall be 
dedicated to major propulsion subsystems. Another major consideration 
is that the use of remote processors permits greater development of 
major subsystems prior to system and vehicle integration. 

The allocation of data processing, signal conditioning, stimuli 
generation, and electrical power conditioning and distribution capa- 
bilities to remote processors shall consider the same criteria used 
for the allocation of capabilities to sensors and SIUs with the excep- 
tion that a remote processor should accommodate as much of the proces- 
sing requirement of the associated subsystem as possible. External 
processing should be principally for system control or long term trend 
analysis and redundancy management. 

The implementation of a remote processor shall also consider its 
proximity to the associated propulsion subsystem, the functional redun- 
dancy of the propulsion subsystem, the criticality of each interface 
with the propulsion subsystem, and the degree of flexibility that is 
required to accommodate potential changes in requirements. 

3. 2. 2. 2. 4 Recorders - The implementation of the propulsion system 
recording requirements identified in Section 3.1 shall consider the 
peak rate of the propulsion system data to be recorded, the period of 
time for which data must be retained, the total recording capacity 
required for propulsion system data, the requirement to provide in- 
flight retrieval of propulsion system status and fault isolation data, 
the requirement to adequately tag data for postflight evaluation, and 
the flexibility to accommodate changes in recording requirements based 
on mission requirements or on system trends. 

3. 2. 2. 2. 5 Displays - The implementation of the propulsion system 
display requirements identified in Section 3.1 shall consider the 
criticality of the data as a principal factor in determining the type 
and redundancy of the reporting device (s) to be used. In addition to 
data criticality, the implementation of displays for propulsion system 
data shall consider the mission time, event, or time duration during 
which the display is required, the crew action required as a result 

of the display, the location of a display relative to other displays 
on which related data is presented, and the desirability of augmenting 
critical displays with alarms. 

3. 2. 2. 2. 6 Data Bus - In addition to fulfilling the requirements 
of other vehicle systems, the configuration of the vehicle data bus 
shall accommodate the propulsion system checkout, control, and monitoring 
requirements identified in Section 3.1 and shall be compatible with the 
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allocation of functional capabilities for those requirements as deter- 
mined by the guidelines of this section. The data bus design shall 
consider the reaction time requirements of the propulsion system, the 
criticality of accurate transmission of propulsion system commands and 
responses, the peak data traffic requirements of the propulsion system 
in conjunction with the requirements of the other vehicle systems, and 
the flexibility to accommodate changes in requirements. 

3. 2. 2. 2. 7 Central Computer Complex - The implementation of the 
vehicle central computer complex shall use the propulsion system require- 
ments derived in Section 3.1 and the allocation of capabilities defined 
in this section as criteria. The definition of central computer data 
processing requirements for propulsion shall be made in conjunction 

with the allocation of data processing capability to the sensors, SIUs , 
and remote processors. The propulsion system checkout, control and 
monitoring requirements shall be included into the criteria for deter- 
mining central computer instruction repertoire, instruction execution 
time, memory size, redundancy, and operational flexibility. 

3. 2. 2. 2. 8 Ground Support Equipment - The extent to which the 
checkout and monitoring function requirements of the Space Shuttle 
propulsion systems are implemented by ground support equipment shall 
be determined by tradeoff analyses considering: 

Space Shuttle turnaround time and maintenance concepts 

Space Shuttle capability to land at a remote site 

Postflight checkout and evaluation requirements 

Maintenance retest requirements 

Preflight checkout and functional testing requirements 
Inflight versus ground requirements 
Available airborne technology 

Size, weight, and power consumption of the necessary onboard 
equipment 

Safety 


Crew participation 
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4.0 COMPLIANCE VERIFICATION 


This section identifies the approach by which the intent of this 
document shall be verified. It delineates the documentation require- 
ments of the contractor and the functions of the Procurement Agency 
in ensuring that the requirements of the onboard checkout and monitor- 
ing function are completely and accurately defined and that all appro- 
priate criteria are considered in the implementation of those requirements. 

The contractor shall satisfy the requirements of this section in 
addition to all of the detailed requirements defined in the statement 
of work or other parts of the contract. 

Table 4.0-1 references the paragraphs of this section to the 
applicable paragraphs of Section 3.0. 

The contractor shall develop and implement a Compliance Verification 
(CV) plan to effectively support the development of the OCMF. The CV 
programs of the contractor and his subcontractors shall be subject to 
continuous evaluation and inspection by the Procurement Agency during 
all phases of the contract to verify that the requirements of the CV 
program have been met. The contractor shall provide the Procurement 
Agency with information, documents, and records in the performance of 
his duties. 


4.1 Compliance Verification Plan - The contractor shall implement 
a Compliance Verification Plan responsive to the requirements of this 
document. The plan shall describe a documented system for verifying 
contractor compliance with the requirements of this document. 

The CV plan shall be submitted to the Procurement Agency for 
approval within the time interval specified in the contract. The 
format shall contain or reference CV procedures that describe all 
applicable activities in terms of what , how, and w hen the required 
operations will be performed. The plan shall include: charts and 

narrative statements that describe the contractor's organization; 
statements of duties, functions, and responsibilities relating to 
each CV task; and descriptions and definitions of the contractor's 
execution and management of each task. The tasks shall be described 
in terms of what, when, by whom, and by what methods each task will 
be accomplished. Applicable contractor policies and procedures shall 
be referenced in the plan. 

4.1.1 Documentation Requirements - The documentation requirements 
of the contractor and the Procurement Agency related to OCMF shall be 
specified in the contract statement of work and the CV plan, and will 
include the requirements contained herein. Figure 4. 1.1-1 shows the 
documentation flow. 



TABLE 4.0-1 

C ROSS REFERENCE OF COMPLIANCE VERIFICATION PARAGRAPHS TO REQUIREMENTS PARAGRAPHS 
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Figure 4. 1.1-1 Documentation Flow 



4 . 1 . 1 . 1 Guidelines for Incorporation of the Onboard Checkout a nd 
Monitoring Function on the Space Shuttle - The Procurement Agency will 
provide the contractor with this document during contract definition. 

4. 1.1. 2 Propulsion System Functional and Operational C riteria - 
These criteria shall include program requirements, mission requirements, 
and vehicle system and ground system requirements. 

4. 1.1. 2.1 Program Requirements - The Procurement Agency will 
supply all applicable program requirements to the contractor at the 
time of contract go-ahead. Requirements,' specifications, concepts, 
guidelines and restrictions on such items as failure tolerance cri- 
teria, abort criteria, and crew interface criteria shall be included. 
Program requirement changes shall be subject to the provisions of the 
contract . 

\ 

4. 1.1. 2. 2 Mission Requirements - The Procurement Agency will 
supply all applicable mission requirements to the contractor at the 
time of contract go-ahead. The mission requirements shall include 
the mission timelines, sequences of event, and objectives for each 
mission phase. Mission requirement changes shall be subject to the 
provisions of the contract. 

4. 1.1. 2. 3 Vehicle and Ground System Requirements - The Procurement 

Agency will provide the contractor with descriptions of the propulsion 
system functional operating requirements on a mission phase basis. These 
requirements will be supplied at the time of contract go-ahead and shall 
include: propulsion system modes of operation and associated sequences, 

frequencies, and durations; definitions of propulsion system physical 
and functional interfaces with other vehicle systems, the launch facil- 
ity, propellant loading system, and mechanical and electrical ground 
support equipment at the launch pad, the landing site, and in the 
maintenance areas. The level of definition of these items by the 
Procurement Agency will serve as baseline requirements from which the 
contractor shall develop detailed definitions and designs. Requirement 
changes shall be subject to the provisions of the contract. 

4. 1.1. 3 Propulsion Hardware Definition - The propulsion system 
hardware definition shall consist of schematics, configuration draw- 
ings, and component definitions. The hardware definitions shall be 
submitted for Procurement Agency evaluation and approval at propulsion 
system conceptual, preliminary, and critical design reviews, and the 
documentation for the final propulsion system design shall be submitted 
during the propulsion system acceptance review. 
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4. 1.1. 3.1 Propulsion Conceptual Design Review - The contractor 
shall submit a conceptual propulsion system design to the Procurement 
Agency for evaluation and approval at the time specified in the con- 
tract. The conceptual design shall include complete schematics to 

the component level and system configuration diagrams. These schematics 
and diagrams shall show interfaces with other vehicle systems and with 
ground equipment. 

I 

The conceptual propulsion system design will be evaluated by the 
Procurement Agency for checkout and monitoring function considerations 
(in addition to all other considerations) to verify, at a minimum, 
that: 

(a) The design complies with the specified failure tolerance 
criteria; 

(b) Single point failures have been eliminated or identified; 

(c) The design meets the specified functional and operational 
requirements . 

4. 1.1. 3. 2 Propulsion Preliminary Design Review (PDR) - The 
contractor shall submit a preliminary propulsion system design to 
the Procurement Agency for evaluation and approval at the time speci- 
fied in the contract. Schematics, configuration diagrams, preliminary 
component and interface definitions shall be included in the review. 

The preliminary propulsion system design will be evaluated by the 
Procurement Agency for checkout and monitoring function considerations 
to verify, at a minimum, that: 

(a) The design complies with the specified failure tolerance 
criteria ; 

(b) Single point failures have been eliminated or identified; 

(c) The design meets the specified functional and operational 
requirements; 

(d) The design is amenable to checkout and monitoring. 

4 . 1 . 1 . 3 . 3 Propulsion Critical Design Review (CDR) - The contractor 
shall submit a detailed propulsion system design to the Procurement 
Agency for evaluation and approval at a critical design review. The 
propulsion system design will be evaluated by the Procurement Agency 
for checkout and monitoring considerations to verify, at a minimum, that 
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(a) The design complies with the specified failure tolerance 
criteria ; 

(b) Single point failures have been eliminated or identified; 

(c) The design is amenable to checkout and monitoring; 

(d) The design meets the specified functional and operational 
requirements ; 

(e) The interfaces related to the checkout and monitoring func- 
tion requirements have been completely and accurately defined. 

4.1. 1.3.4 Propulsion System Acceptance Review - The contractor 
shall submit the final propulsion system design to the Procurement 
Agency for evaluation and approval at the propulsion system acceptance 
review. The final propulsion system design will be evaluated by the 
Procurement Agency for checkout and monitoring considerations using 
the same criteria by which the design was evaluated for the CDR. 


4. 1.1.4 Control Sequence and Operational Logic Diagrams - The 
contractor shall submit these diagrams for Procurement Agency evaluation 
and approval during the propulsion system PDR, CDR, and Acceptance 
Reviews. These diagrams will be evaluated by the Procurement Agency 
to verify, at a minimum, that: 


(a) 

(b) 

(c) 

(d) 

(e) 

(f) 


All control logic is shown; 

All conditions for control are shown; 
All operating modes are shown; 

All redundancies are shown; 

All interfaces are shown; 

All failure reactions are shown. 


4. 1. i.5 Failure Modes and Effects Analysis (FMEA) - The contractor 
shall submit his procedures and ground rules for conducting the FMEA 
(for propulsion system checkout and monitoring purposes) to the Procure- 
ment Agency for evaluation and approval at the time specified in the 
contract. The contractor shall conduct the FMEA in accordance with the 
approved procedures and ground rules and shall submit the results to 
the Procurement Agency for evaluation and approval at the propulsion 
system conceptual, preliminary, and critical design reviews, and at 
the acceptance review. The level to which the FMEA shall be conducted 
for the successive reviews shall be identified by the ground rules and 
procedures. The FMEA results will be evaluated by the Procurement 
Agency to verify, at a minimum, that: 
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(a) All failure modes have been identified; 

(b ) The failure mechanisms are sufficiently understood to specify 
failure detection methods; 

(c) The specified failure reaction times are correct; 

(d) The specified failure effects are correct; 

(e) Detection methods or recommended alternatives have been 
identified for all failure modes; 

(f) The recommended failure detection method is compatible with 
the failure reaction time; 

(g) The failure detection method is capable of faithfully identi- 
fying the specified failure mode and cannot create false 

a larms ; 

(h) The failure detection method has been sufficiently demonstra- 
ted to provide confidence in its use in this application; 

(i) Redundancies have been accounted for and justified. 

4 . 1 . 1 . 6 Line Replaceable Unit (LRU) Identifications - The con- 
tractor shall submit LRU identifications to the Procurement Agency 
for evaluation and approval at the propulsion system PDR, CDR, and 
acceptance reviews. The LRU identifications will be evaluated by 
the Procurement Agency to verify, at a minimum, that: 

(a) The LRU identifications comply with the Shuttle maintenance 
concepts and timelines; 

(b) The LRUs are capable of being fault isolated; 

(c) The identified LRUs have adequate accessibility; 

(d) The LRUs have been optimally selected in terms of the number 
of mechanical and electrical attachments involved; 

(e) Where practical, the LRUs do not contain components that are 
known to vary widely in life expectancy; 

(f) The LRUs provide a logical breakout of redundant paths or 
elements ; 

(g) The LRU selection is logical in terms of minimizing ground 
equipment for post-installation retest requirements and 
simplicity in retest procedures. 
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4. 1.1. 7 Checkout and Monitoring Functional Requiremen ts - The 
contractor shall submit the results of the propulsion system checkout 
and monitoring requirements analysis to the Procurement Agency for 
evaluation and approval at the propulsion system preliminary and crit- 
ical design reviews and at the acceptance review. 

4. 1.1. 7.1 Display Requirements - The display requirements will 
be evaluated by the Procurement Agency to verify, at a minimum, that: 

(a) The display requirements are consistent with the program 
guidelines ; 

(b) The recommended display information is of real value to 
the crew; 

(c) The recommended types of displays are adequate; 

(d) The recommended display redundancy is consistent with the 
criticality of the information being displayed; 

(e) The event or period for which the display has significance 
has been identified; 

(f) The crew action associated with the display has been 
identified . 

4. 1.1. 7. 2 Recording Requirements - The recording requirements 
will be evaluated by the Procurement Agency to verify, at a minimum, 
that : 

(a) The use of the recorded data has been identified and justi- 
fied; 

(b) The time interval for which data must be retained has been 
identified; 

(c) Data that must be retrievable during flight has been identi- 
fied as such; 

(d) The mission period or event for which the data has signifi- 
cance has been identified; 

(e) The peak rates associated with the data have been identified 
and justified. 
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4. 1.1. 7. 3 Data A cq uisition Requirements - The contractor shall 
submit the initial data acquisition requirements tabulation, the opti- 
mized list of measured parameters, and the rational justifying the 
retention or elimination of parameters to the Procurement Agency for 
evaluation and approval. The data acquisition requirements will be 
evaluated by the Procurement Agency to verify, at a minimum, that: 

(a) All parameters have been uniquely identified; 

(b) The propulsion element with which the parameter is associ- 
ated has been adequately identified; 

(c) The parameter ranges and expected values for all conditions 
for which the data has significance have been completely 
identified; 

(d) The total uncertainty within which the value of a parameter 
must be known has been specified and is compatible with the 
indicated data usage; 

(e) Parameter response rates of significance have been completely 
and accurately specified; 

(f) The specified sample rates are commensurate with the indica- 
ted response rates and reaction times; 

(g) The use(s) of the parametric data have been identified and 
all uses have been justified; 

(h) The time intervals, operations, or conditions for which the 
data is meaningful have been identified; 

(i) All data sources have been evaluated and the listed parameters 

satisfy all of the checkout and monitoring functional require- 
ments ; : 

(j) Discriminants have been completely identified relating the 
recommended parameters to specific failure modes identified 
by the FMEAs; 

(k) The parameter list includes operational conditions such as 
manual control settings; 

(l) Measured parameters have been selected for all derived 
parameters and have been justified; 
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(m) Corrective actions have been defined for all identified 

parameters for which measurement techniques are unavailable. 

4. 1.1. 7. 4 Stimuli Requireme nts - The stimuli requirements will 
be evaluated by the Procurement Agency to verify, at a minimum, that: 

(a) The specified stimuli requirements are consistent with the 
propulsion component definitions; 

(b) The specified requirements meet all of the propulsion system 
control requirements; 

(c) Sufficient speed and accuracy margins have been specified; 

(d) All sensor stimuli requirements have been specified. 

4. 1.1. 7. 5 Data Processing Requirements - The data processing 
requirements will be evaluated by the Procurement Agency to verify, 
at a minimum, that: 

(a) Data processing requirements have been identified for each 
control, monitoring, recording, display, simulation, and 
data evaluation requirement; 

(b) The frequency and required rate of processing has been 
specified for each requirement; 

(c) The interval during which the specified processing is re- 
quired has been identified; 

(d) The processing requirements include identification of the 
data routing and tagging associated with the checkout and 
monitoring function. 

4 . 1 . 1 . 7 . 6 Related Ground Support Equipment (GSE) Requirements - 
The related GSE requirements will be evaluated by the Procurement 
Agency to verify, at a minimum, that: 

(a) The ground support items related to checkout and monitoring 
during postflight checkout and evaluation, maintenance re- 
test, and prestart checkout have been identified; 

(b) The recommended GSE items are compatible with the Shuttle 
turnaround time and maintenance concepts; 

(c) Rationale has been provided to indicate why GSE was selected 
instead of onboard equipment. 
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4. 1.1. 7. 7 Simulation Requirements - The simulation requirements 
will be evaluated by the Procurement Agency to verify, at a minimum, 
that : 

(a) The simulation requirements cover all modes of propulsion 
system operation; 

Alternatives have been recommended where conditions have 
been judged to be impractical or not cost effective; 

The simulation is not so extensive as to degrade the effec- 
tiveness of the ground prestart checkout procedures. 

4. 1.1. 7. 8 Inspec t io n Requirements - The inspection requirements 
will be evaluated by the Procurement Agency to verify, at a minimum, 
that : 

(a) Rationale is available justifying the selection of the 
recommended inspection, technique over checkout by onboard 
equipment ; 

(b) The inspection requirements were included in the propulsion 
system design on which the checkout and monitoring require- 
ments analysis was conducted; 

(c) The inspection procedures have been integrated into coordin- 
ated postflight evaluation procedures. 

4. 1.1. 7. 9 Sensor Requirements - Tire contractor shall submit 

a candidate sensor list to the Procurement Agency for evaluation and 
approval at the PDR, a recommended sensor list and sensor specifica- 
tions at the CDR, and sensor criteria and identification during the 
acceptance . review; The sensor requirements will be evaluated by the 
Procurement Agency to verify, at a minimum, that: 

(a) The recommended sensor type is best suited to the accuracy, 
response, and environment requirements and to the intended 
data usage; 

(b) The sensor interfaces have been completely and accurately 
defined ; 

(c) The recommended location and mounting technique is optimum 
in terms of the quality of the desired parameter data;, 

(d) Satisfactory sensor checkout and/or calibration procedures 
have been established; 


(b) 

(c) 
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(e) The recommended sensor redundancy is consistent with the 
program guidelines on critical data; 

(f) Those sensors that must be line replaceable units have been 
identified as such; 

(g) The recommended sensors have operational and service life 
ratings compatible with the intended application. 

4. 1.1. 8 Prop ul sion Sy ste m Interface Definitions - The contractor 
shall submit definitions of the propulsion system interfaces with other 
onboard and ground systems that involve propulsion system checkout and 
control to the Procurement Agency for evaluation and approval. The 
interface definitions will be evaluated by the Procurement Agency to 
verify, at a minimum, that: 

(a) The interface definitions completely specify all applicable 
characteristics such as magnitude, level, rate, polarity, 
phasing, force, torque, pressure, frequency, loading, etc; 

(b) The interface definitions meet the applicable failure tol- 
erance criteria; 

4. 1.1. 9 Implementation - The implementation of the propulsion 
system OCMF requirements requires the basic identification of the 
functional elements that are candidates for implementing the OCMF, 
and the definition and conduct of trade studies to identify the 
optimum allocation of required OCMF capabilities to the selected 
implementation candidates. 

Typical elements that are candidates for implementing the pro- 
pulsion system OCMF requirements are defined in Section 3.2.1 and 
consist of propulsion system elements, sensors, vehicle avionics, 
other interfacing onboard systems, and related ground equipment. 

Of these elements, sensors, propulsion system elements, recorders, 
displays, interfacing non-avionics systems, ground support equipment, 
and the crew are elements that are required by all candidate config- 
urations. However, the degree of usage of each element for implementing 
the OCMF requirements can vary from one configuration to another. 
Therefore, the primary task in identifying candidate elements for OCMF 
requirements implementation is the definition of the basic configura- 
tion of the avionics elements (data management and control subsystem 
in Section 3.2) that are required for data acquisition, data processing, 
data transportation, and the control functions of the vehicle subsystems. 

The contractor’s responsibilities in selecting implementation 
candidates will depend on the level of vehicle systems definition by 
the Procurement Agency. If the implementation candidates have not 
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been sufficiently defined by the Procurement Agency, the contractor 
shall do so per the guidelines of Section 3.2. The Procurement Agency 
will evaluate the contractor recommended implementation candidates per 
the guidelines of Paragraph 4. 1.1. 9.1. 

Procurement Agency approved implementation candidates shall be 
used by the contractor to define and conduct trade studies in which 
the propulsion OCMF requirements shall be allocated to the selected 
implementation candidates per the guidelines of Section 3,2. The 
definitions and results of these trade studies will be evaluated by 
the Procurement Agency per the guidelines of Paragraph 4. 1.1. 9. 2. 

The selected implementation candidates, together with the propul- 
sion system checkout and monitoring function requirements and their 
approved allocations, shall become formal design requirements for the 
applicable onboard and ground systems. Other criteria, compliance 
verification, and quality assurance requirements governing the design, 
fabrication, and test of the affected systems shall be the subject 
of the appropriate system requirements. 

4. 1.1. 9.1 Implementation Candidates - The contractor shall make 
the basic identification of the vehicle and ground system functional 
elements that are candidates for implementing the propulsion system 
OCMF requirements (and other vehicle system requirements) to the extent 
specified in the contract. The contractor shall submit his recommended 
implementation candidates to the Procurement Agency for evaluation and 
approval. The criteria by which the Procurement Agency evaluates the 
implementation candidates will include: 

Weight, cost, size, power requirements. 

- Requirements of all vehicle systems. 

System complexity versus flexibility. 

System fault tolerance. 

Turnaround time objectives and maintenance concepts. 

Development risks. 

Reliability. 

Environmental protection and control requirements. 
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4. 1.1.9. 2 Capab i lity Allocation Trade Studies - The contractor 
shall define and conduct trade studies to allocate -the capabilities 
required for propulsion system checkout and monitoring to the selected 
implementation candidates. The trade study definitions and results 
shall be submitted to the Procurement Agency for evaluation and approval. 
The trade study definitions and results will be evaluated by the Pro- 
curement Agency to verify, at a minimum, that: 

(a) The allocations satisfy the data acquisition, data processing, 
control, data storage and reporting requirements identified 

by the analysis required in Section 3.1 of this document; 

(b) Reaction time requirements for safety and control have been 
met ; 

(c) Environmental requirements have been met; 

(d) The desired degree of flexibility has been achieved; 

(e) The specified failure tolerance criteria has been met; 

(f) The allocations meet the reliability goals; 

(g) Self- check and/or calibration requirements have been met; 

(h) Ground versus onboard allocations are compatible with pro- 
gram objectives; 

(i) Crew safety requirements have been met; 

(j) The allocations are compatible with turnaround time objec- 

maintenance concepts, and remote landing site require- 
ments; 

(k) Weight, cost, size, and power consumption have been given 
adequate consideration; 

(l) New development requirements, ground support requirements, 
and unique hardware, software, and procedures have been 
minimized ; 

(m) The allocations lend themselves to modularity, commonality, 
maintainability and ease of development; 

(n) The allocations do not result in excessive complexity or 
development risk; 

Xo) The allocations are consistent with the optimum sensor 
locations and mounting technqiues; 



The recommended allocations do not require excessive environ- 
mental control provisions; 

Equipment location in the vehicle has been adequately consid- 
ered ; 

The allocations are compatible with the requirements of other 
vehicle systems, including the crew; 

Mechanical and electrical interfaces have been completely 
and accurately defined; 

The allocations lend themselves to long term accuracy 
stability ; 

The allocations provide adequate margin in operating and 
service life requirements; 

The recommended allocations are amenable to ease of fault 
detection and redundancy management. 
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5.0 NOTES 


This section lists and defines terms and abbreviations used in 
this document. 

5.1 Definitions - An alphabetical listing of definitions follows: 

CAUTION AND WARNING DISPLAY : the technique used to alert and inform 

the crew of the existance of an abnormal condition. 

CENTRAL COMPUTER COMPLEX : the primary system of data processing for 

the vehicle. 

CHECKOUT : the function of determining the capability of an element 

or system to perform its specified functional operations. 

COMPONENT OPERATING HISTORY DATA : data identifying the accumulated 

functional operations (such as numbers of cycles, time above a speci- 
fied temperature, etc.) of a component. 

CONTROL : the function of starting, stopping, changing or otherwise 

regulating the functional operations of an element or system. 

CONTROL SEQUENCE AND OPERATIONAL LOGIC DIAGRAM : a system analysis 

tool that defines detailed sequences and conditions of operation of 
a system. 

DATA ACQUISITIO N: the process of sensing, signal conditioning to a 

usable form and transporting data to its destination. 

DATA PROCESSING : the calculations and/or comparisons required to 

evaluate acquired data and to determine appropriate commands, and the 
operations requisite to recording and displaying data including data 
identification and routing. 

DERIVED PARAMETERS : a parameter whose magnitude is established by 

applying a mathematical relationship to other parameters. An example 
of a derived parameter is flow rate calculated from temperature (density) 
and differential static pressure. 

D ISCRIMINANT : the criteria by which acquired data is evaluated to 

judge the performance or operational condition of the corresponding 
propulsion system or element. 

EMERGENCY DETECTION : the detection of an abnormal condition that can 

progress into a catastrophic effect. 
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FAULT DETECTION : the determination that an element or system is per- 

forming outside its specified functional operational limits. 

FAULT ISOLATI ON: the identification of the element or group of elements 

that performed or is performing outside its specified functional opera- 
tional limits. 

FAULT PREDICTION : the determination made through trend analysis that 

the performance of an element or system has an unacceptably low proba- 
bility of remaining within specified limits. 

FLEET TRENDS : information pertaining to performance characteristics 

and maintenance requirements of the fleet of vehicles during successive 
missions . 

FUNCTIONAL ELEMENT ; an element that provides a function in addition 
to or other than structural integrity, and is capable of functional 
operation. 

FUNCTIONAL OPERATION : the change of state or condition of an element 

or system such as a response to a control command. 

FUNCTIONAL TESTING : checkout that is performed by inducing functional 

operations or a sequence of functional operations on an element or 
system. 

GROUND SUPPORT EQUIPMENT : for checkout and monitoring, the equipment 

that is needed, in addition to the onboard equipment, to accomplish 
the checkout and monitoring functions. 

LINE REPLACEABLE UNIT : an element or group of elements that can be 

removed, replaced and retested within the constraints of the vehicle 
turnaround cycle timeline. 

MAINTENANCE : those functions and activities associated with restor- 

ing the vehicle to an operational condition between flights. 

MAINTENANCE RETEST : the function of verifying the capability of a 

system to perform its prescribed functional operations subsequent 
to maintenance activities. 

M EA SUREME N T ; a single source of data relating to the magnitude of a 
parameter . 


MEASURED PARAMETER : a parameter that can be measured directly. 
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MISSION PHASES : the repetitive set of discrete, sequential ground and 

flight operations of the Space Shuttle. 

MONITORING : the function of determining whether an element or system 

is performing its functional operations with specified limits. 

PARAMETER : a physical characteristic , state or condition. Examples 

include position, temperature, and flow rate. 

POSTFLIGHT EVALUATION : the function of identifying elements that require 

maintenance either because they have not performed their functional 
operations within specified limits, or because their trend of perform- 
ance indicates that the specified performance will not be attained 
during the next functional operation or flight. 

POSTFLIGHT SAFING AND PURGING ; those operations conducted after land- 
ing to place the vehicle in a safe, inert condition. This operation 
can include venting pressure vessels, draining propellants and purging 
tanks and lines, safing and removing pyrotechnic devices, etc. 

PRES TART ; a period immediately prior to initiation of a functional 
operation of an element or system, either on the ground or in flight. 

PRESTART CHECKOUT : an evaluation conducted just prior to initiation 

of a functional operation to assess the capability of the element or 
system to operate within specified performance limits. 

POSTFLIGHT CHECKOUT : checkout performed during postflight safing and 

purging operations. 

REDUNDANCY MANAGEMENT : the function of reacting to the detecting of 

an existing or potential fault by activating a redundant path, function 
or element to alleviate the condition. 

RE DUNDANCY VERIFICATIO N : assessment of the capability of redundant 

functional elements to perform their specified functional operations. 

REMOTE PROCESSOR : a computer which performs data processing and control 

sequences in response to commands from the central computer complex. 

SELF- CHECK : the process by which a functional element assesses its own 

operational integrity and readiness. 

SEN SOR: a functional element that responds to a physical quantity or 

event and converts that response to transmissible data which is propor- 
tional to the magnitude of the quantity or indicates the occurence of 
the event. 

STATUS VERI FICATION : verification that parameters are within specified 

limits or at specified values. 
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STIMULUS : an excitation or forcing function that is applied from a 

source external to a functional element. 

SUBSYSTEM INTERFACE UNIT : an intermediary that interfaces a user 

subsystem (e.g., a propulsion subsystem) to the vehicle avionics 
system. An SIU performs a control function by translating avionics 
system commands into stimuli for the user subsystem and acquires 
data from the user subsystem for use by other vehicle and ground 
systems „ 

TREND ANALYSIS : the identification of changes in performance of an 

element or system during successive functional operations or flights, 
and the evaluation of such changes to determine the probabilities of 
performance degrading outside specified limits in subsequent functional 
operations or flights. 

5.2 Abbreviations - Abbreviations used in the text of this document 
are defined as follows : 

OCMF Onboard Checkout and Monitoring Function 

LRU Line Replaceable Unit 

GSE Ground Support Equipment 

NASA National Aeronautics and Space Administration 

MSFC Marshall Space Flight Center 

DM&C Data Management and Control 

CCC Central Computer Complex 


SIU 


Subsystem Interface Unit 



